Are Cookies Crumbling?

Today the internet is a more sophisticated beast and we are seldom alone online.

March 2011

"On the internet, nobody knows you’re a dog". This caption, from a cartoon by Peter Steiner, first appeared in the New Yorker magazine in 1993. It shows two dogs; one on a chair in front of a computer screen speaking to the other, looking up from the floor. The image and caption neatly demonstrated the ability of computer users to be anonymous when on the internet.

That was 1993. Today the internet is a more sophisticated beast and we are seldom alone online. Tracking online activity is at the heart of any commercial website, whether this is logging purchases to a shopping cart, remembering users and their preferences or presenting advertising based on understanding the prior browsing behaviour of the user. To twist Steiner’s adage to today, "On the internet, websites know you are a Labrador looking for a new collar".

Cookie technology has played an important role in this transformation of the internet into a key part of today’s global economy. Cookies are small text files that a website transfers to a user’s computer to store and sometimes track information about their online activity.

What's the current law?

Cookies, and equivalent technologies that store or gain access to information on a user’s equipment, are governed by European law in the shape of the e-Privacy Directive (2002/58/EC). This law is implemented in the UK as the Privacy and Electronic (EC Directive) Regulations 2003, (the ‘Regulations’). The Regulations require those deploying cookies or equivalent technologies to give clear and comprehensive information about why these are used and to offer the right to refuse. This information, along with an opt-out, is typically found in website privacy policies, and usually explains to the user that they can block cookies through their browser settings (although this is not always correct, depending on the type of cookie, see below).

What's about to change?

All this is about to change. In December 2009, the e-Privacy Directive was revised. Like all directives it must be applied in each EU country through national law and we await the UK law - the revised Directive must be implemented by May 25th 2011.

The Directive was revised to include - among other things - a shift from notice and opt-out, to a requirement for user consent except where the cookie use is "strictly necessary" to provide a service "explicitly requested" by the user. This, if interpreted narrowly, could have fundamental consequences for publishers and advertisers, and thus the way in which content can be monitized.

Some commentators have seized on a Recital to the revised Directive (a Recital being, broadly, part of a general introduction) which states that user consent may be expressed using the appropriate settings of a browser or other application. However, the value of this Recital was rejected in all but limited cases by an Independent European advisory body on data protection, the ‘Article 29 Working Party’. In an Opinion on Online Behavioural Advertising’ adopted on 22 June 2010, the Working Party points out that most browser software is automatically set to accept cookies and that some cookies (so-called ‘flash cookies) can even override the browser settings selected by a user.

At the end of 2010 the Government consulted on its proposals for the changes the UK needs to make to its laws to implement the revised Directive. The Government has stepped back from the debate on key questions such as how best to show consent, or when is a cookie ‘strictly necessary’, and the Government seems likely to adopt a ‘copy-out’ approach to the Directive – basically copying out the operative sections word for word, without addressing any ambiguity - so that the UK regulator, the ‘Information Commissioner’, has flexibility when interpreting the law and developing guidance. A draft UK law is expected in April, and we will report on the draft law and its implications for business at the time.

Industry recommendations

In the meantime, commercial stakeholders are working hard to add practical flesh to the bones of the Directive by engaging in dialogue on industry standards with all interested parties. To this end, the European Advertising Standards Alliance (‘EASA’) is consulting on Draft Best Practice Recommendations for a Europe-wide self regulatory compliance mechanism for Online Behavioural Advertising. It is clear that initiatives such as this need to be treated seriously by European regulators if there is any prospect of the revised Directive leading to harmonised mechanisms to achieve cookie consent throughout Europe.